SAML Authentication Extension Group Membership

SAML Authentication Extension Group Membership

MARTINEZ, ARIEL

Does anyone know if the SAML extension is supposed to take the group membership of a user and associate it automatically to a group defined in Guacamole that has the same name?  This is what happens with the LDAP authentication extension, not sure if something similar applies to the SAML one.

Thanks

Re: SAML Authentication Extension Group Membership

vnick
On Sun, Oct 4, 2020 at 3:45 PM MARTINEZ, ARIEL <[hidden email]> wrote:

Does anyone know if the SAML extension is supposed to take the group membership of a user and associate it automatically to a group defined in Guacamole that has the same name?  This is what happens with the LDAP authentication extension, not sure if something similar applies to the SAML one.

The SAML extension does not currently implement Group membership.

-Nick

Re: SAML Authentication Extension Group Membership

mjumper
Administrator
On Sun, Oct 4, 2020, 12:49 Nick Couchman <[hidden email]> wrote:
On Sun, Oct 4, 2020 at 3:45 PM MARTINEZ, ARIEL <[hidden email]> wrote:

Does anyone know if the SAML extension is supposed to take the group membership of a user and associate it automatically to a group defined in Guacamole that has the same name?  This is what happens with the LDAP authentication extension, not sure if something similar applies to the SAML one.

The SAML extension does not currently implement Group membership.

Doesn't it? The "saml-group-attribute" property defines the SAML attribute used to retrieve groups.

As for group identity, for any extension implementing groups, Guacamole should be using the name of the group to determine identity. This should happen regardless of whether the source of those groups is LDAP, SAML, etc. It's all opaque to guac.

- Mike

Re: SAML Authentication Extension Group Membership

vnick
On Sun, Oct 4, 2020 at 4:01 PM Mike Jumper <[hidden email]> wrote:
On Sun, Oct 4, 2020, 12:49 Nick Couchman <[hidden email]> wrote:
On Sun, Oct 4, 2020 at 3:45 PM MARTINEZ, ARIEL <[hidden email]> wrote:

Does anyone know if the SAML extension is supposed to take the group membership of a user and associate it automatically to a group defined in Guacamole that has the same name?  This is what happens with the LDAP authentication extension, not sure if something similar applies to the SAML one.

The SAML extension does not currently implement Group membership.

Doesn't it? The "saml-group-attribute" property defines the SAML attribute used to retrieve groups.


Ah, yes, you're correct - I think I'm so used to answering that way for the other SSO modules that it was an automatic response...

-Nick

RE: [EXTERNAL] Re: SAML Authentication Extension Group Membership

MARTINEZ, ARIEL

Ok thanks. I wanted to make sure to avoid troubleshooting something that was expected behavior.

I have debug logging enabled and am able to see the group names coming from my identity provider. The line says “Group” so I set saml-group-attribute: Group in guacamole.properties (documentation says Groups is default). But when I log in, the group membership is not recognized and connections and permissions are not being applied.

Is there any other way to troubleshoot why the group membership is not being recognized?

Thanks


Re: [EXTERNAL] Re: SAML Authentication Extension Group Membership

MARTINEZ, ARIEL

I reviewed the settings in guacamole.properties and everything seems to be in order (I left the sections for LDAP in place). Debug logging shows the line: SAMLResponse has attributes: {http://schemas.xmlsoap.org/claims/Group=[CN=......OU=......DC=........]


In the extensions folder, I have the following in this order:
guacamole-auth-jdbc-mysql-1.2.0.jar
guacamole-auth-ldap-1.2.0.jar
guacamole-auth-saml-1.2.0.jar


I'm out of ideas of what or how to troubleshoot any further.


Thanks


RE: [EXTERNAL] Re: SAML Authentication Extension Group Membership

MARTINEZ, ARIEL

Is there anything else that can be tried to troubleshoot that anyone can think of?

Thanks

RE: [EXTERNAL] Re: SAML Authentication Extension Group Membership

Simon Müller
Hey there,

I am also trying to find a solution for this topic.

Thanks to you, Ariel, I have successfully achieved logging in by
transforming the claim in my IdP (ADFS) to Name Id - Format "Email-Address".
Now I am struggling with the fact that for every user logging in, I would
have to add them manually to a group and also add every connection to every
group manually.

That's where saml-group-attribute could come in handy...So I configured
"Send group membership as claim" as an additional claim issuance rule and
the debug messages look promising so far:

Oct 20 16:52:32 srv.fqdn.de server[14660]: 16:52:32.562 [http-bio-8080-exec-33] DEBUG c.onelogin.saml2.authn.SamlResponse - SAMLResponse has NameID --> anders.gehzauch@testad.fqdn.de
Oct 20 16:52:32 srv.fqdn.de server[14660]: 16:52:32.565 [http-bio-8080-exec-33] DEBUG c.onelogin.saml2.authn.SamlResponse - SAMLResponse has attributes: {http://schemas.xmlsoap.org/claims/Group=[adfs-users], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname=[Anders], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname=[Gehzauch]}
Oct 20 16:52:32 srv.fqdn.de server[14660]: 16:52:32.567 [http-bio-8080-exec-33] INFO  o.a.g.r.auth.AuthenticationService - User "anders.gehzauch@testad.fqdn.de" successfully authenticated from <client-ip>.


In my guacamole.properties, I explicitly set "saml-group-attribute: Group"

Of course I created this particular group beforehand in my guacamole-server
currently backed by mysql.
It seems the attributes are not honored at all. It would be really great if
I could fill a minimum of attributes like "Full Name", "E-Mail",
"Organization", "Department".

Another question that arises: How can I still use the REST API with the
saml-auth enabled? In Jira I read something about the idea to provide an
extra button for the SSO authentication so that you can still login with
local users. Is there any intel when and if this will be possible in the
future?

PS: Logging out currently is not possible at all, am I right? But that is my
least concern. ;)



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org

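Both debug logs quoted in this thread (Ariel's and Simon's) show the attribute map keyed by the full claim URI, http://schemas.xmlsoap.org/claims/Group, while the property was set to the bare word Group; Mike's note above says group identity is then matched by name against whatever groups exist locally. The following is an added illustration written for this thread, not code from Guacamole or from the onelogin java-saml library it logs through. It parses a constructed, unsigned SAML response in the shape an ADFS "Send group membership as a claim" rule produces, builds the same Name-keyed map the log line prints, and then resolves a configured attribute name against that map. The exact-name lookup is an assumption about how saml-group-attribute is resolved, not something the thread confirms; the response, the group values, and the helper names (parse_response, candidate_attribute_names, groups_for, effective_groups) are made up for the example.

```python
"""Resolve SAML assertion attributes to group names the way a Guacamole-style
saml-group-attribute lookup would (added illustration; assumes exact-name
matching, which is not confirmed by the thread).
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response. The Signature element is deliberately absent:
# a real SP must verify the XML signature (and audience, conditions, and
# InResponseTo) before trusting any attribute below.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">anders.gehzauch@testad.fqdn.de</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group" FriendlyName="Group">
        <saml:AttributeValue>adfs-users</saml:AttributeValue>
        <saml:AttributeValue>guac-admins</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Anders</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Return (name_id, attributes). attributes maps Attribute Name -> [values],
    the same shape as the 'SAMLResponse has attributes: {...}' debug line."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    name_id_el = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = name_id_el.text.strip() if name_id_el is not None and name_id_el.text else None
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attributes.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attributes


def candidate_attribute_names(xml_text):
    """List (Name, FriendlyName) for every attribute the IdP sent, so a
    troubleshooter can see which exact string to put in the property.
    FriendlyName is reported for information only; it is not matched on."""
    root = ET.fromstring(xml_text)
    return [(a.get("Name"), a.get("FriendlyName"))
            for a in root.findall(".//saml:Attribute", NS)]


def groups_for(attributes, group_attribute):
    """Exact-name lookup of the configured group attribute (assumed behaviour).
    A bare 'Group' finds nothing when the IdP sends the full claim URI."""
    return list(attributes.get(group_attribute, []))


def effective_groups(idp_groups, defined_groups):
    """Group identity is the name: only IdP groups that also exist locally
    (e.g. in the MySQL backend) can carry connections or permissions."""
    return [g for g in idp_groups if g in defined_groups]


if __name__ == "__main__":
    name_id, attrs = parse_response(SAMPLE_RESPONSE)
    print("NameID:", name_id)
    print("attribute names sent by IdP:", candidate_attribute_names(SAMPLE_RESPONSE))
    for configured in ("Group", "http://schemas.xmlsoap.org/claims/Group"):
        print(f"saml-group-attribute: {configured!r} ->", groups_for(attrs, configured))
    print("effective:", effective_groups(groups_for(attrs, "http://schemas.xmlsoap.org/claims/Group"),
                                         {"adfs-users"}))
```

Run it as a script to see the two lookups side by side; the first prints an empty list, the second the two group values. Against a live deployment the same comparison can be made by hand: take the key printed inside the braces of the "SAMLResponse has attributes" log line, compare it character for character with the value of saml-group-attribute, and then confirm a group of exactly that value exists in the database backend.
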
RE: [EXTERNAL] Re: SAML Authentication Extension Group Membership

MARTINEZ, ARIEL
Hi Simon,

The behavior you described is pretty much what I have experienced. Regarding the logouts, that is not working for me either. Perhaps these are ADFS specific issues as opposed to SAML in general.